New Spirals ransomware encrypts victim network in under 24 hours

A new ransomware actor called Spirals completed a corporate intrusion, from initial access to data theft and encryption, in less than 24 hours.

The attack occurred in June and breached an IT services firm in South Asia after compromising an Internet Information Services (IIS) server exposed on the public web.

Researchers at Symantec’s Threat Hunter Team say that the attacker moved quickly after obtaining initial access and uploading an ASP.NET web shell.

The Spirals operator then bypassed User Account Control (UAC), enabled Remote Desktop, and created a local account to maintain persistent access. The attacker also dumped the SAM registry hive and LSASS process memory in an attempt to extract credentials.

Symantec investigators say that the threat actor tried to remove security software on the hosts, used WMI to move laterally to more than a dozen systems, and established redundant remote access channels using revsocks, Chisel, and Cloudflare tunnels.

A PowerShell payload disabled Microsoft Defender, removed its threat definitions, and stopped services associated with 23 backup, database, and virtualization products, including Veeam, VMware, Hyper-V, SQL Server, Oracle, and PostgreSQL, in preparation for the encryption stage.

The deployment of the Spirals payload (bitsadmin.exe) occurred less than 24 hours after the initial compromise, reports Symantec.

“The operator began deploying the ransomware payload across the victim’s network using PsExec running as SYSTEM,” the researchers explain.

“The payload was named bitsadmin.exe, likely to masquerade as the legitimate Windows utility associated with the Background Intelligent Transfer Service, encrypting files on impacted machines.”

Spirals is a Rust-based ransomware family that uses AES-128 keys protected by an attacker-controlled ECDH P-256 public key.

The ransomware uses intermittent encryption for files larger than 5MB to accelerate the process.

A ransom note named RECOVERY_SECTION.log is dropped on the C:\ drive, containing instructions to negotiate a ransom.

Victims are threatened with public exposure of the stolen data within six days, unless the attacker is paid.

Despite the presence of the extortion portal, Symantec observed Spirals in a single case so far, so it’s unclear whether the new family is intended for broader cybercrime deployment or if it was a custom payload created specifically for this attack at the IT services firm.

Symantec’s report provides network indicators and file hashes associated with the documented Spirals attack to help organizations worldwide set up defenses against this threat group.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

New Prinz Eugen ransomware prioritizes recent files for encryption

JadePuffer ransomware used AI agent to automate entire attack

Blackfield ransomware asks Nidec Corporation for $2 million ransom

US charges alleged operators of Russian bulletproof hosting service

US sanctions VPN, malware providers for enabling ransomware attacks

Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days

Microsoft: Some Dell PCs shut down after recent Windows updates

Windows 11 KB5101650 & KB5099414 cumulative updates released

How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.

AI is a data-breach time bomb: Read the new report

AI broke vulnerability management. Get the guide CISOs use to shift budget to BAS.

#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.

Pentest your web apps on-demand. Find what humans miss. Scope and launch a pentest in minutes.

Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure

Read our posting guidelinese to learn what content is prohibited.